PT-2025-20515 · Linux+5 · Linux Kernel+5

Russell King · Published 2025-04-17 · Updated 2026-04-20 · CVE-2025-37865

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A vulnerability in the Linux kernel, related to the deletion of VLANs when MST is unsupported, has been resolved. The issue arises in the mv88e6xxx_port_vlan_leave() function, which attempts to find an MST entry associated with the SID but fails and returns -ENOENT. This happens because some chip implementations do not populate vlan.sid, leading to the use of garbage SID values. The fix tests for sid == 0, which covers non-bridge VLANs and bridge VLANs mapped to the default MSTI, and adds a test for mv88e6xxx_has_stu() inside mv88e6xxx_mst_put() to avoid accessing uninitialized memory.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of Uninitialized Resource

Weakness Enumeration

Related Identifiers

BDU:2025-12275
CVE-2025-37865
DLA-4193-1
ECHO-E1CE-691B-46ED
OESA-2025-1878
OESA-2025-1879
OESA-2025-1880
SUSE-SU-2025:02249-1
SUSE-SU-2025:02254-1
SUSE-SU-2025:02307-1
SUSE-SU-2025:02333-1
SUSE-SU-2025:02335-1
SUSE-SU-2025:02538-1
SUSE-SU-2025:02923-1
SUSE-SU-2025:20413-1
SUSE-SU-2025:20421-1
SUSE-SU-2025_02249-1
SUSE-SU-2025_02254-1
SUSE-SU-2025_02307-1
SUSE-SU-2025_02333-1
SUSE-SU-2025_02335-1
SUSE-SU-2025_02538-1
USN-7594-1
USN-7594-2
USN-7594-3
USN-8028-1
USN-8028-2
USN-8028-3
USN-8028-4
USN-8028-5
USN-8028-6
USN-8028-7
USN-8028-8
USN-8031-1
USN-8031-2
USN-8031-3
USN-8052-1
USN-8052-2
USN-8074-1
USN-8074-2
USN-8126-1

Affected Products

Astra Linux
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu